OpenSSL Heartbleed bug – Why SSL alone can’t be trusted

Posted by Ankur Panchbudhe on April 9 2014

A serious bug dubbed Heartbleed (www.heartbleed.com) has been detected in OpenSSL, a cryptographic library that powers more than half of websites. The vulnerability can expose system information that may be sensitive in nature, including the keys used for encryption – making the information being transferred visible to a third party as if it were not encrypted at all.

Similar vulnerabilities have been detected in the past – such as one detected a few months back in iOS, the software that powers the most popular mobile devices, the iPad and iPhone. Man-in-the-middle attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) that spoof SSL connections are also not very uncommon.

Isn’t this scary? Particularly for businesses dealing with sensitive information, this would mean loss of credibility, compliance violations and so on.

At Vaultize, we believe in “trust nobody” when it comes to sensitive information. That’s why we secure the data by encrypting it on the user device itself before it is transmitted over an SSL channel. Most other Enterprise File Sharing and Sync (EFSS) solutions transmit the data as-is, in the belief that SSL alone can ensure security, and encrypt it only in the cloud. And because the encryption/decryption happens in the cloud, the encryption keys are under the total control of the EFSS vendor.

Vaultize’s patent-pending encryption technology used in file sharing and mobility ensures that the data is encrypted (and later decrypted) only on endpoints, whether mobile or non-mobile. That means what goes over the wire in transit is encrypted (data-in-motion), and the data stays encrypted while on the cloud storage (data-at-rest).

Vaultize further enhances the privacy of your organization’s data by allowing you to own and manage the encryption keys through our ‘Data Privacy Option’ (DPO). With DPO, you are given physical control of the encryption keys and Vaultize will never store any keys in any of its infrastructure – ensuring complete privacy and mitigating the security risks exposed by any vulnerabilities in communication software like OpenSSL.

Additionally, Vaultize provides endpoint encryption, wiping, geo tracking and geo fencing. Endpoint encryption helps enterprises encrypt sensitive information on endpoints, ensuring protection against unauthorized access and potential data leakage from a lost or stolen device, and securely erase sensitive data from such a device.

Further, Vaultize offers deployment options other than public cloud. You can deploy it on-premise in a single-server or multi-server (scalable cloud environment) setup with different redundancy and high-availability configurations. Vaultize also offers a purpose-built (industry’s first) appliance series (Cloud-in-a-box).

Under all the deployment options, you get the flexibility to choose between Vaultize’s standard storage, cloud storage options (like Amazon, Azure), your own on-premise storage within your data center and/or your private cloud storage.

So, choose Vaultize – “End-to-end Protection and Privacy”!
